aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRoland Shoemaker <roland@golang.org>2024-02-07 13:05:59 -0800
committerRoland Shoemaker <roland@golang.org>2024-05-09 22:43:14 +0000
commite0aab32c7f90882ad2f6e52c03de0e22e2af5b31 (patch)
tree18f15f94e57c3fb1a31e903b2664371b3ccef17f
parentf4bb7b9186ecfa6dc0ce31891b87dd8a9831476f (diff)
downloadgo-e0aab32c7f90882ad2f6e52c03de0e22e2af5b31.tar.gz
go-e0aab32c7f90882ad2f6e52c03de0e22e2af5b31.zip
crypto/x509: reject critical SKI extensions
Updates #65085 Change-Id: I8a00fff6b2af4e55bcb88456813b5ee1f7b1c01d Reviewed-on: https://go-review.googlesource.com/c/go/+/562344 Reviewed-by: Filippo Valsorda <filippo@golang.org> Reviewed-by: Cherry Mui <cherryyz@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Diffstat
-rw-r--r--src/crypto/x509/parser.go4
-rw-r--r--src/crypto/x509/x509_test.go25
2 files changed, 29 insertions, 0 deletions
diff --git a/src/crypto/x509/parser.go b/src/crypto/x509/parser.go
index 726409e988..001b001775 100644
--- a/src/crypto/x509/parser.go
+++ b/src/crypto/x509/parser.go
@@ -741,6 +741,10 @@ func processExtensions(out *Certificate) error {
}
case 14:
// RFC 5280, 4.2.1.2
+ if e.Critical {
+ // Conforming CAs MUST mark this extension as non-critical
+ return errors.New("x509: subject key identifier incorrectly marked critical")
+ }
val := cryptobyte.String(e.Value)
var skid cryptobyte.String
if !val.ReadASN1(&skid, cryptobyte_asn1.OCTET_STRING) {
diff --git a/src/crypto/x509/x509_test.go b/src/crypto/x509/x509_test.go
index 0f528d4cc2..a29f914c8e 100644
--- a/src/crypto/x509/x509_test.go
+++ b/src/crypto/x509/x509_test.go
@@ -4035,3 +4035,28 @@ func TestRejectCriticalAIA(t *testing.T) {
t.Fatalf("ParseCertificate() unexpected error: %v, want: %s", err, expectedErr)
}
}
+
+func TestRejectCriticalSKI(t *testing.T) {
+ template := Certificate{
+ SerialNumber: big.NewInt(1),
+ Subject: pkix.Name{CommonName: "Cert"},
+ NotBefore: time.Unix(1000, 0),
+ NotAfter: time.Unix(100000, 0),
+ ExtraExtensions: []pkix.Extension{
+ {
+ Id: asn1.ObjectIdentifier{2, 5, 29, 14},
+ Critical: true,
+ Value: []byte{1, 2, 3},
+ },
+ },
+ }
+ certDER, err := CreateCertificate(rand.Reader, &template, &template, rsaPrivateKey.Public(), rsaPrivateKey)
+ if err != nil {
+ t.Fatalf("CreateCertificate() unexpected error: %v", err)
+ }
+ expectedErr := "x509: subject key identifier incorrectly marked critical"
+ _, err = ParseCertificate(certDER)
+ if err == nil || err.Error() != expectedErr {
+ t.Fatalf("ParseCertificate() unexpected error: %v, want: %s", err, expectedErr)
+ }
+}
7apu2bq3rhoylwmucxizk54afw5jyda7pho4j5zdcqpwkufke7zdzwad.onion